
As More Accounts Link to Phone Numbers, Identity Thieves Turn to Hijacking the Numbers Themselves

By: Chris Gaetano

Published Date: Aug 24, 2017

Identity thieves are adapting to the increasingly popular security practice of requiring accounts to be linked to a phone number: they trick carriers into letting them hijack the number itself, allowing them to access personal information nearly unimpeded, according to the New York Times.

Two- or multi-factor authentication usually involves logging into an account via both a traditional user password and a code sent to a mobile device right after. Without both the password and the device, it is impossible to access the account. The use of this process has been growing rapidly as more people seek to guard themselves against identity theft and other malicious hacking. Paradoxically, though, the rise of such systems has made the phone number a particularly visible weak point for the very same attacks they're meant to guard against, according to the Times.

So, instead of trying to directly access an account linked to a phone number, an identity thief will contact the victim's mobile phone company, pretend to be the victim, and get the provider to switch the phone number to a device in the thief's possession. Once this happens, the thief can tell whatever account they want to access that they need to reset the password, at which point a code appears on the new device enabling them to do so. The Times said the impersonator will generally say there was some kind of emergency necessitating the move, and if the agent doesn't believe them, they simply hang up and try again with a different person, sometimes making dozens or even hundreds of attempts in a row in order to find someone who will. Chillingly, such takeovers can be successful even if the victim is aware of it happening in real time: it takes only a few minutes once the number is transferred.

While many have been victims of this technique (such attacks have gone from 1,038 in 2013 to 2,658 in 2016), it seems particularly aimed at holders of virtual currencies like Bitcoin. The Times noted that, unlike banks, virtual currency exchanges tend not to be able to reverse transactions, sometimes by design.